locals {
  # Values substituted into templates/vault_user_data.sh when the Vault
  # instances below render their boot script. Every key here must exist as a
  # placeholder in that template.
  vault_interpolation_vars = {
    region                  = data.aws_region.current.name
    vault_version           = var.vault_version
    vault_fqdn              = var.vault_fqdn
    vault_bucket_name       = var.vault_bucket_name
    vault_autounseal_key_id = aws_kms_key.vault_autounseal.key_id
  }
}
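resource "aws_instance" "vault" {
  # One instance per requested Vault node. Nodes are spread round-robin across
  # the private subnets, so any count works regardless of how many subnets are
  # configured.
  count = var.vault_count

  ami           = data.aws_ami.base_ami.id
  instance_type = var.vault_instance_type
  subnet_id     = var.private_subnets[count.index % length(var.private_subnets)]
  key_name      = var.vault_key_name

  # Role carrying the DynamoDB / S3 / SSM permissions defined further down.
  iam_instance_profile = aws_iam_instance_profile.vault_instance_profile.name

  # Termination protection is deliberately off; set to true for a production
  # cluster if accidental destruction of the storage nodes is a concern.
  disable_api_termination = false

  vpc_security_group_ids = [
    aws_security_group.vault_sg.id,
    var.utility_accessible_sg,
  ]

  # Require IMDSv2 session tokens. The instance-profile credentials are
  # otherwise readable with a single unauthenticated GET on the metadata
  # endpoint, which any request-forwarding bug on the box would expose.
  metadata_options {
    http_endpoint = "enabled"
    http_tokens   = "required"
  }

  # Encrypt the root volume at rest; anything Vault writes locally (file audit
  # logs, if configured) ends up here.
  root_block_device {
    encrypted = true
  }

  tags = {
    Name       = "Vault Server ${count.index + 1}"
    PatchGroup = local.ecs_patch_group_name
  }

  # Boot script rendered from the module template with
  # local.vault_interpolation_vars. NOTE(review): the AWS provider base64-encodes
  # user_data itself; as far as I know it passes already-encoded input through
  # unchanged, so the explicit base64encode() is redundant rather than harmful.
  # If it turns out to double-encode, switch to user_data_base64.
  user_data = base64encode(templatefile("${path.module}/templates/vault_user_data.sh", local.vault_interpolation_vars))
}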
# Wraps the Vault role so it can be attached to the EC2 instances above.
resource "aws_iam_instance_profile" "vault_instance_profile" {
  name = "vault-ec2-role"
  role = aws_iam_role.vault_role.name
}
# Grants the Vault role the DynamoDB / S3 permissions in aws_iam_policy.vault_policy.
resource "aws_iam_role_policy_attachment" "vault_permissions" {
  policy_arn = aws_iam_policy.vault_policy.arn
  role       = aws_iam_role.vault_role.name
}
# Role assumed by the Vault EC2 instances. The trust policy only lets the EC2
# service assume it; the permissions themselves are attached separately.
resource "aws_iam_role" "vault_role" {
  name        = "VaultEC2"
  description = "Houses required permissions for Vault EC2 boxes."

  assume_role_policy = <<-EOF
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": "sts:AssumeRole",
          "Principal": {
            "Service": "ec2.amazonaws.com"
          },
          "Effect": "Allow",
          "Sid": ""
        }
      ]
    }
  EOF
}
# AWS-managed policy that lets the SSM agent register the instance, used for
# patching below.
data "aws_iam_policy" "aws_ssm_default" {
  name = "AmazonSSMManagedInstanceCore"
}
# Attach the SSM core policy so the instances can be managed by Patch Manager
# (see the PatchGroup tag on aws_instance.vault).
resource "aws_iam_role_policy_attachment" "add_ssm_for_patching" {
  policy_arn = data.aws_iam_policy.aws_ssm_default.arn
  role       = aws_iam_role.vault_role.name
}
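# Runtime permissions for the Vault nodes. Built with jsonencode() instead of a
# heredoc so a stray edit cannot yield a document AWS rejects: the previous
# heredoc carried a corrupted action name ("dynamodb:Listtags =OfResource"),
# fixed here to "dynamodb:ListTagsOfResource".
resource "aws_iam_policy" "vault_policy" {
  name = "VaultDynamoDB"

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid    = "VaultDynamoDB"
        Effect = "Allow"
        Action = [
          "dynamodb:DescribeLimits",
          "dynamodb:DescribeTimeToLive",
          "dynamodb:ListTagsOfResource",
          "dynamodb:DescribeReservedCapacityOfferings",
          "dynamodb:DescribeReservedCapacity",
          "dynamodb:ListTables",
          "dynamodb:BatchGetItem",
          "dynamodb:BatchWriteItem",
          "dynamodb:CreateTable",
          "dynamodb:DeleteItem",
          "dynamodb:GetItem",
          "dynamodb:GetRecords",
          "dynamodb:PutItem",
          "dynamodb:Query",
          "dynamodb:UpdateItem",
          "dynamodb:Scan",
          "dynamodb:DescribeTable",
        ]
        # The Vault table is not managed in this file, so its ARN is not
        # available here. Narrow this to the table ARN once it is known.
        Resource = "*"
      },
      {
        Sid    = "VaultBucket"
        Effect = "Allow"
        Action = "s3:*"
        # Previously "s3:*" on every bucket in the account. Scope it to the
        # bucket handed to the nodes via local.vault_interpolation_vars; add
        # further bucket ARNs here if the boot script needs others.
        Resource = [
          "arn:aws:s3:::${var.vault_bucket_name}",
          "arn:aws:s3:::${var.vault_bucket_name}/*",
        ]
      },
    ]
  })
}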